Lateral movement is the set of techniques an attacker uses to move through a network after an initial compromise, with the aim of reaching sensitive data or systems.
The term “Lateral Movement” has gained currency in recent years and was in the news when ransomware such as WannaCry and APT groups such as APT28 and APT29 used lateral movement techniques. Most often the attacker has no direct access to the machine or resource on the internal network that is the real prize. That prize may be the domain controller, a machine hosting confidential information, or simply every internal machine, so that they can be enrolled in a botnet. In such a situation the attacker aims for a weak link in the target network that can be infiltrated first: an unsuspecting user, an unpatched computer, an exposed Wi-Fi network and so on. Once the attacker controls this weak link, that access is used to identify other resources on the internal network and to infiltrate them in turn, until the objective of the attack is accomplished. The methods an attacker uses to identify resources on the internal network, gather information or credentials from an infiltrated host, and use what was gathered to gain control of other resources on the internal network are called “Lateral Movement Techniques”. The discussion in this blog is centred on Windows. However, any OS environment can be affected by the techniques discussed below.
In malware samples studied recently, in particular those attributed to APT28 and APT29, several of the techniques described below were used to move within the internal network. The stages need not occur in the exact order shown below, and an attacker or a piece of malware may use only a few of them.
In the infiltration stage, the attacker gains an initial foothold on one or more machines in the internal network. This could be via:
Once the infiltration stage is complete, it may well be that the infiltrated machine was not the final objective of the attack. In this stage the attacker can use tools already present on the system, such as the built-in “net.exe” command, or upload tools such as “NetSess.exe”, “smbat” or port scanners. Nmap and Metasploit ship with scripts that collect useful information from internal hosts. The attacker typically tries to answer the following questions:
The outcome of a successful discovery stage is that the attacker has identified other machines, active sessions, user accounts and so on across the internal network.
When a user logs on to a Windows machine, LSASS keeps the user’s credential material, including the NT hash of the password, in its process memory so that later network authentications do not require the password again. With a tool such as Mimikatz, an attacker with local administrator rights can read these cached credentials out of LSASS memory. If a domain administrator had logged on to that machine, the attacker now holds the domain administrator’s credentials. Even when only the hash is recovered, it is enough: NTLM is a challenge-response protocol in which the NT hash itself is the key, so whoever holds the hash can answer a server’s challenge without ever knowing the password. Using a stolen hash this way is called a “Pass the hash” attack, and because NTLM is the authentication used by SMB, the protocol Windows machines use to talk to one another for file sharing and remote administration, it lets the attacker execute commands on other machines posing as the domain administrator. A more serious scenario is when the attacker has harvested the NT hash of the domain’s “krbtgt” account from a domain controller, which allows the attacker to forge Kerberos TGTs for any user at will. This is known as the “Golden Ticket Attack”. Mimikatz also has a module that patches the LSASS process on a domain controller so that a master password chosen by the attacker authenticates as any domain user, while the affected users continue to log on normally with their usual credentials. This is known as the “Skeleton Key Attack”.
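To make the pass-the-hash point concrete, here is an added example (not code from the original post, nor from Versa or Mimikatz) that computes an NTLMv2 challenge-response from the NT hash alone, following the NTOWFv2 and NTProofStr formulas in Microsoft’s MS-NLMP specification. The account name, domain, challenges, timestamp and target-info blob are constructed sample values; MD4 is implemented inline because OpenSSL 3 exposes it only through its legacy provider, so hashlib may not provide it. The legitimate client derives the hash from the password, the attacker starts from the 16 bytes dumped from LSASS, and the server cannot tell the two apart.

```python
"""Pass-the-hash in miniature: an NTLMv2 response computed from the NT hash alone.

Added example; not code from the original post. Follows the NTOWFv2 / NTProofStr
formulas in MS-NLMP section 3.3.2. All account names, challenges and the
target-info blob below are constructed sample values.
"""
import hmac
import struct


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Inlined because OpenSSL 3 ships MD4 only in its
    legacy provider, so hashlib.new("md4") frequently raises ValueError."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # original bit length, little-endian
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        regs = [a, b, c, d]
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                r = (-i) % 4                       # target register cycles a, d, c, b
                x, y, z = regs[(r + 1) % 4], regs[(r + 2) % 4], regs[(r + 3) % 4]
                regs[r] = _rotl((regs[r] + fn(x, y, z) + X[k] + const) & 0xFFFFFFFF, shifts[i % 4])
        a, b, c, d = [(new + old) & 0xFFFFFFFF for new, old in zip(regs, (a, b, c, d))]
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. These 16 bytes are what Mimikatz
    reads out of LSASS memory."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) || domain), both in UTF-16LE."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def build_temp(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The NTLMv2_CLIENT_CHALLENGE blob ('temp') that is HMACed with the server challenge."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, temp: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || temp. The only secret input is the NT hash."""
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, "md5").digest()
    return proof + temp


def server_verify(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """What the target (or the DC on its behalf) does: recompute the proof from the stored hash."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + temp, "md5").digest()
    return hmac.compare_digest(proof, expected)


def pass_the_hash_demo() -> dict:
    user, domain = "jdoe", "CORP"                          # constructed sample account
    stored_nt = nt_hash("password")                        # what the DC / SAM holds for jdoe
    server_challenge = bytes.fromhex("0123456789abcdef")   # constructed 8-byte server challenge
    target_info = (b"\x02\x00\x08\x00" + domain.encode("utf-16-le")   # MsvAvNbDomainName AV pair
                   + b"\x00\x00\x00\x00")                                # MsvAvEOL
    temp = build_temp(0x01D4C1E000000000, bytes.fromhex("aaaaaaaaaaaaaaaa"), target_info)

    # Legitimate client: derives the NT hash from the password the user typed.
    legit = ntlmv2_response(nt_hash("password"), user, domain, server_challenge, temp)

    # Attacker: never sees the password, only the 16 bytes dumped from LSASS.
    dumped_hash = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")   # NT hash of "password"
    forged = ntlmv2_response(dumped_hash, user, domain, server_challenge, temp)

    wrong = ntlmv2_response(b"\x00" * 16, user, domain, server_challenge, temp)
    return {
        "nt_hash": stored_nt.hex(),
        "responses_identical": legit == forged,
        "server_accepts_forged": server_verify(stored_nt, user, domain, server_challenge, forged),
        "server_accepts_wrong_hash": server_verify(stored_nt, user, domain, server_challenge, wrong),
    }


if __name__ == "__main__":
    for key, value in pass_the_hash_demo().items():
        print(f"{key}: {value}")
```

The server-side check shows why “the hash is the password” for NTLM: verification recomputes the same HMAC from the stored hash, so there is no step at which the cleartext password is ever needed. This is also why defences focus on keeping hashes out of reach (Credential Guard, Protected Users, no domain-admin logons to workstations) rather than on password strength.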
With credentials and a map of the network in hand, an attacker on the internal network can reach other machines in the following ways:
Attackers and malware prefer to remain hidden, survive a reboot and stay active. Some interesting malware samples that achieved persistence in novel ways are mentioned below.
This blog provided a high-level view of what “Lateral Movement” is and of some of the prominent techniques employed by attackers and malware. Threat actors increasingly use these techniques, especially Windows WMI (Windows Management Instrumentation), to gain and maintain access to machines. In future blogs we will study techniques such as pass-the-hash and the skeleton key attack in detail, look at how tools like Mimikatz harvest credentials and how WMI attacks work, and dissect malware samples that employ these techniques. This will provide a deeper understanding of how threat actors operate today and of how to protect your internal network.
Versa VOS™ (formerly FlexVNF), via its IPS and AV engines, provides protection from these threats. The AV engine detects the malware binaries that employ these lateral movement techniques. The IPS engine provides additional protection by inspecting network traffic and identifying WannaCry network activity and the network activity typically seen with tools like Responder. Versa Networks also supports detection of lateral movement techniques in a Windows environment: the security engine can detect network activity indicative of PsExec, pass-the-hash, remote service launch, task scheduling and more.
To learn more contact us or reach out to request a demo and see how Versa Networks can secure the branch and WAN edge.